dev-sec / ansible-collection-hardening

This Ansible collection provides battle tested hardening for Linux, SSH, nginx, MySQL
http://dev-sec.io/
Apache License 2.0

Feature Request: Alpine support for ssh hardening #724

Open haxwithaxe opened 11 months ago

haxwithaxe commented 11 months ago

Description

It would be nice to have support for Alpine Linux in the various parts of this collection. In particular, I'm interested in the SSH hardening part. Better security automation for a popular distribution has obvious benefits such as a lower barrier to good security hygiene.

Solution

Adding a vars file for Alpine seems to be sufficient for a lot of the functionality. I haven't fully exercised the ssh hardening functionality (i.e. nothing to do with SELinux), so I don't know how hard it would be to fully implement, but copying and pasting the Debian.yml and lightly modifying it was enough for me to do what I needed. Below is the snippet from the group_vars I used successfully.

```yaml
...
os_vars:
  sshd_path: /usr/sbin/sshd
  ssh_host_keys_dir: /etc/ssh
  sshd_service_name: sshd  # changed from `ssh`
  ssh_owner: root
  ssh_group: root
  ssh_host_keys_owner: root
  ssh_host_keys_group: root
  ssh_host_keys_mode: '0600'
  ssh_selinux_packages: []  # changed from a list of packages

  # true if SSH supports Kerberos
  ssh_kerberos_support: true

  # true if SSH has PAM support
  ssh_pam_support: true

  sshd_moduli_file: /etc/ssh/moduli

  sshd_disable_crypto_policy: false
...
```

Alternatives

As described above, manually adding an os_vars based on Debian's to the relevant group_vars in my playbook was enough for my limited purposes.

Additional information

If there is interest in this feature but no bandwidth available to implement it in the project, I may be able to provide a PR, so let me know if you're interested. I really like this project and it would be great to help out if it's desired.
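The override approach described in the comment above, as an added example playbook that is not part of the collection or of the issue author's own setup. It applies the collection's `ssh_hardening` role to an Alpine host with the same `os_vars` values, but first verifies that `sshd_path` and `sshd_service_name` actually exist on the target (Alpine uses OpenRC, so the service script is assumed to live under `/etc/init.d/`), and afterwards asks `sshd` to validate the resulting configuration. The inventory group name `alpine` and the placement of `os_vars` in play `vars` (rather than `group_vars`, as the author did) are assumptions made to keep the example self-contained.

```yaml
# Added example (not from the collection or the issue author): apply the
# ssh_hardening role on Alpine with an os_vars override, with sanity checks
# before and after so a wrong vars mapping cannot silently break sshd.
- name: Harden SSH on Alpine hosts (example)
  hosts: alpine            # assumed inventory group containing the Alpine hosts
  become: true
  vars:
    os_vars:               # values taken from the group_vars snippet in the issue
      sshd_path: /usr/sbin/sshd
      ssh_host_keys_dir: /etc/ssh
      sshd_service_name: sshd
      ssh_owner: root
      ssh_group: root
      ssh_host_keys_owner: root
      ssh_host_keys_group: root
      ssh_host_keys_mode: '0600'
      ssh_selinux_packages: []
      ssh_kerberos_support: true
      ssh_pam_support: true
      sshd_moduli_file: /etc/ssh/moduli
      sshd_disable_crypto_policy: false

  pre_tasks:
    - name: Refuse to run this override on anything but Alpine
      ansible.builtin.assert:
        that:
          - ansible_facts['os_family'] == 'Alpine'
        fail_msg: "This play carries Alpine-specific os_vars and must not run elsewhere"

    - name: Check that the sshd binary exists where os_vars says it does
      ansible.builtin.stat:
        path: "{{ os_vars.sshd_path }}"
      register: sshd_bin

    - name: Check that an OpenRC service script exists under the given service name
      ansible.builtin.stat:
        path: "/etc/init.d/{{ os_vars.sshd_service_name }}"   # assumed OpenRC layout
      register: sshd_rc

    - name: Fail early if the vars mapping does not match this host
      ansible.builtin.assert:
        that:
          - sshd_bin.stat.exists and sshd_bin.stat.executable
          - sshd_rc.stat.exists
        fail_msg: "Adjust os_vars.sshd_path / os_vars.sshd_service_name for this host"

  roles:
    - role: devsec.hardening.ssh_hardening

  post_tasks:
    # sshd -t exits non-zero on a broken configuration, so a bad vars file
    # surfaces here instead of at the next service restart.
    - name: Validate the hardened sshd configuration
      ansible.builtin.command: "{{ os_vars.sshd_path }} -t"
      changed_when: false
```

The pre-task assertions are what make the copy-and-modify approach safe to roll out beyond one machine: if a host is not Alpine, or its `sshd` lives elsewhere, the play stops before the role touches `/etc/ssh`. The final `sshd -t` is a belt-and-braces check on the file the role wrote, independent of whatever validation the role itself performs.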

schurzi commented 11 months ago

We are open to adding Alpine support. So if you want, please create a PR. Thanks a lot in advance!